DMVPN Spoke with 2 internet link

jain.nitin · ‎03-01-2013

Hi All,

I am stuck in a situation where we have 2 hubs one in HQ and one in DR site. Both hubs are configured to have different dmvpn cloud. We have some branches with two internet links one adsl and another 3G.

I want to setup dmvpn in such a way so that if adsl goes down then dmvpn tuneel should come up via 3G.

What I know is i would require different tunnels on spoke for achieving this. Currently on each spoke I have two tunnels one terminates on HQ and another terminates on DR and both are live. I am managing routes via eigrp.

My question is that do I need to create another dmvpn cloud for this to work as I can not use same subnet IP on new tunnels which will be having 3G as source ? or shall I create new subnet for tunnels which will work over 3G ??

if i create new tunnel for 3G network then what will be the configuration on HQ & DR as we have only on internet link on DR & HO.

can anybody help me on this ?

just need idea how to achive it. my full dmvpn is working over internet no private mpls....

Jeff Van Houten · ‎03-02-2013

Look on Cco for doc Id 41940. Read the whole thing but concentrate beginning on page 40.

Sent from Cisco Technical Support iPad App

jain.nitin · ‎03-06-2013

I hope there are experts available on forum to suggest ideas....

jain.nitin · ‎03-06-2013

thanks jeff for reply.. the document you have given is very good but does not matching with my scenario...I have HUB on HQ & DR with one internet link at each site. Have spokes with dual internet link terminating on a single router.

Andrew Phirsov · ‎03-07-2013

I think you should create two more VPN-clouds for this.

From configuration point of view,

on the spokes - create two more tunnel interfaces, sourcing from 3g interfaces, and pointing to each hub's only interfaces (You're using DMVPN phase 1, i suppose?)

on each hub create one more tunnel multipoint interface, sourcing from the same interface (i don't think it'll be an issue).

And you'll have to allocate two another subnets to your new clouds.

jain.nitin · ‎03-11-2013

Thanks Andrew....I will try the given solution and update you...

salman abid · ‎03-11-2013

sorry to interrupt
but i need to read the document that is mentioned by

JEFF (Look on Cco for doc Id 41940. Read the whole thing but concentrate beginning on page 40.)

from where i can get this documents

because soon i'm also going to deploy DMVPN

salman abid · ‎03-11-2013

Boss can any body ans my que

from where i can read the document which is mentioned by JEFF

Look on Cco for doc Id 41940. Read the whole thing but concentrate beginning on page 40.

NAGISWAREN2 · ‎03-11-2013

Hi Jain,

You can let HQ and DR in same DMVPN Cloud. In HQ, do Static NHRP MAP to DR and vise versa.

Spoke routers, create two static NHRP Map and NHS.

Tunnel0

description Spoke

ip nhrp map multicast HQ-WAN-IP

ip nhrp map HQ-Tunnel-IP HQ-WAN-IP

ip nhrp map multicast DR-WAN-IP

ip nhrp map DR-Tunnel-IP DR-WAN-IP

ip nhrp network-id 123

ip nhrp holdtime 60

ip nhrp nhs HQ-Tunnel-IP

ip nhrp nhs DR-Tunnel-IP

This will allow you use one DMVPN cloud for two Hub.

Secondly, for spoke failover to 3G, you would need to create another DMVPN Tunnel at HUB and SPOKE router

At HUB, use different Tunnel IP, but tunnel source will be same. In order this to work, i will suggest you to use DMVPN over IPSec. Use Diffrent tunnel key and ip nhrp network-id for both tunnel interface. Use "shared" command when apply ipsec policy in Tunnel interface.

Sample config at Hub( I only show the difference in Tunnel config)

----------------------------------------------------

tunne0

description ***Primary Tunnel***

ip address x.x.x.x

ip nhrp network-id 1

tunnel key 1

tunnel protection ipsec profile TN-DMVPN shared

tunne1

description ***Primary Tunnel***

ip address y.y.y.y

ip nhrp network-id 2

tunnel key 2

tunnel protection ipsec profile TN-DMVPN shared

At Spoke, you configure same as primary tunnel, but make sure to change network-id and tunnel key. Here, you may no need to use "shared" command when apply ipsec policy

Hope this helps.

Regards,

Nagis

Regards, Nagis